Troubleshooting
Problem
This document describes the steps necessary to remove an existing Kerberos configuration.
Resolving The Problem
I attempted to set up a single sign-on; however, it did not succeed. I wanted to remove it from my environment, so I deleted the domain that was created during Kerberos configuration in the hopes that it would completely undo my configuration. Then I attempted to map network drives, and I noticed that the operation was successful when mapping with the following paths:
\\NetServerName\shareName
\\SystemName\shareName
However, the operation failed with the following path:
\\iSeriesIPAddress\sharename
Mapping with this path resulted in an Access Denied message. Communications traces did not show any Kerberos ticket being sent to the IBM System i products, nor was there any rejection recorded in the trace.
Clients that were connecting through Kerberos authentication might need to clear any cached information to connect to this new configuration.
To completely remove and delete the Kerberos configuration from the environment, do the following:
Step 1: Remove EIM. Do the following:
1. Delete the Identifiers:
   a. In IBM iSeries Navigator, select your system and log in.
   b. Expand Network.
   c. Expand Enterprise Identity Mapping.
   d. Expand Domain Management.
   e. Select your domain and authenticate the LDAP administrator.
   f. Expand your domain.
   g. Select Identifiers.
   h. In the right window pane, right-click on each identifier and select Delete....
2. Delete the User Registries:
   a. Select User Registries under your domain.
   b. In the right window pane, right-click on each registry and select Delete....
3. Delete the Domain:
   a. Select Domain Management.
   b. In the right window pane, right-click on your domain and select Delete....
   c. Click Yes on the warning message.
Step 2: Remove NAS. Do the following:
1. In iSeries Navigator, under your system, expand Security.
2. Expand Network Authentication Service.
3. Select Realms.
4. In the right window pane, right-click on the realm and select Delete.
5. Click OK on the Confirm Realm Deletion window.
Step 3: Remove Kerberos. Do the following:
1. Access PASE:
   a. Sign on your System i.
   b. Type the command: call qp2term
   c. Type the command: export PATH=$PATH:/usr/krb5/sbin
2. Delete the Kerberos server:
   a. Type the command: unconfig.krb5
   b. Type Y for the warning message.
   c. Note the successful message.
   d. Press F3 to exit.
   e. Leave the session active.
Step 4: Delete the NAS Keytab file. Do the following:
Note: Deleting the NAS configuration does not delete the keytab file. A new configuration will append to the same file. This can sometimes cause errors.
1. In the emulation session, type the command: qsh
2. Type the command: keytab list
3. You should see all the principal names scroll by. Roll back up to the top and note the Key table path.
4. Return to iSeries Navigator and the Integrated File System.
5. Expand each directory in the path /QIBM/UserData/OS400/NetworkAuthentication/keytab.
6. Right-click on krb5.keytab and select Delete....
7. Click Yes on the message.
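The Step 4 note says a new configuration appends to an existing keytab file. As an added example (not IBM code), the Python below lists the principals in a copy of krb5.keytab and reports entries left over from a realm other than the current one. It assumes the file uses the MIT Kerberos keytab layout, version 0x0502; the realm and principal names in the sample are constructed.

```python
import struct

def _parse_entry(buf):
    off = 0
    def take(fmt):
        nonlocal off
        (val,) = struct.unpack_from(fmt, buf, off)
        off += struct.calcsize(fmt)
        return val
    def counted():                          # 16-bit length, then that many bytes
        nonlocal off
        n = take(">H")
        off += n
        return buf[off - n:off].decode("utf-8", "replace")
    ncomp = take(">H")                      # component count, realm excluded
    realm = counted()
    name = "/".join(counted() for _ in range(ncomp))
    off += 8                                # skip name type and timestamp
    kvno, enctype = take(">B"), take(">H")
    keylen = take(">H")
    off += keylen                           # skip key bytes; never returned
    if len(buf) - off >= 4:
        kvno = take(">I") or kvno           # optional 32-bit kvno overrides
    return {"principal": f"{name}@{realm}", "realm": realm, "kvno": kvno, "enctype": enctype}

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)                    # negative size = deleted slot
    return entries

def leftovers(entries, current_realm):      # principals from any other realm
    return sorted({e["principal"] for e in entries if e["realm"] != current_realm})

def _entry(realm, comps, kvno):             # builds constructed sample data only
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno, 18, 32) + bytes(32)
    return struct.pack(">i", len(body)) + body

SAMPLE = (b"\x05\x02" + _entry("OLD.EXAMPLE.COM", ["krbsvr400", "sysa.example.com"], 1)
          + struct.pack(">i", -8) + bytes(8)
          + _entry("NEW.EXAMPLE.COM", ["krbsvr400", "sysa.example.com"], 1))
```

Pass parse_keytab the bytes of a copy of the key table file; any principal that leftovers returns for the realm you now use came from an earlier configuration.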
Historical Number
468146654
Document Information
Modified date:
07 October 2024
UID
nas8N1014026